MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93cc16dfe8c10579f28d8d70196f5c64044493818861f32c9d3e8f15cc3b7aaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 14 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93cc16dfe8c10579f28d8d70196f5c64044493818861f32c9d3e8f15cc3b7aaa
SHA3-384 hash: ae9833f248440575cb22e1618044747ecb7f8595074613d5a9803e86336c14c8dd2414270985ba824eb14f480592de72
SHA1 hash: 49d7a9eb258f5ee93c3985e38e4eca852c37dfef
MD5 hash: 0455be9da54c7231fea1f2fae056f36d
humanhash: seventeen-social-indigo-california
File name:0455be9da54c7231fea1f2fae056f36d
Download: download sample
Signature Loki
Create hunting rule
File size:361'472 bytes
First seen:2023-04-20 02:26:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e690d90f10792337897b6f984bebcd48 (3 x RedLineStealer, 1 x AZORult, 1 x GCleaner)
ssdeep 6144:g2euhqu9r/bsW+ERywB6v01RfRmI0Hn20:g2Dhb5zsW+jwY017AP
Threatray 3'989 similar samples on MalwareBazaar
TLSH T1A3746B3262D0A875E5274B758E1EC6B47A6EF4605F567BEB23484A3F0A701E1C6B230D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0894c2f0c848404a (1 x Loki)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
399
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
0455be9da54c7231fea1f2fae056f36d
Verdict:
Malicious activity
Analysis date:
2023-04-20 02:29:13 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/caee3ec0-6f84-41e0-b964-4d67877b4c39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/383588/
Detection(s):
Sanesecurity.Malware.29230.BadIN.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Sending a custom TCP request
Stealing user critical data
Moving of the original file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6440a2f7cf53491c99887c83/reports/7cc5f6b9-cfca-4fe7-8858-15833aeb8178/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/93cc16dfe8c10579f28d8d70196f5c64044493818861f32c9d3e8f15cc3b7aaa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ceaaec42-2638-493c-88e0-d80131aef6e8
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217590
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93cc16dfe8c10579f28d8d70196f5c64044493818861f32c9d3e8f15cc3b7aaa/
Threat name:
Win32.Trojan.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2023-04-18 13:13:57 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=spgbnx7iyecxt4unrvybs324mqceje4brbq7gle5h2hrltb3pkva._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1882ef98c83f81bd10838fa43586217c016ff2631d5ee2f380216e1620cfdc60
Loki
34c08a4a4807d6287eb560a40cfee218dc48d98edc8e1cd7e239ee94d11eb81d
Loki
45b5b4972cd637a4b69b650a10e956a8071a46784429d7434b226675bf72a21a
Loki
5c9d7e276aa2d724c5398e53a897d3a9b2b59526212450889fabeb8597d6638c
Loki
78c4f76d5f6dacc7d2759dea334aede899237a62be411e37371e010de670fc57
Loki
b90aaf4e321b606013366e13cd76419afc3703d9c4c974f2a0d303bfac6911bd
Loki
c2e87e031cf06cfbc066444c30dc76d1377857012a034143c7b039b292da73b9
Loki
efce89f65bb53604b0644ff4949e0772116ac49778971dba3c6d80cd53fb2403
Loki
+ 3'979 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230420-cxevdsha5y/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://185.246.220.85/fresh/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
07686bd3670d7660420f09f8771135bb16588e15b45561219ead1841952d38f1
MD5 hash:
046a6366921953d042f7a0ffcb26c50d
SHA1 hash:
2dd27e32320fc0277397f57d24ed4b13d99e09ac
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/fbba5f8d-a8b6-4b7f-b0d3-779b8d4bdc8b/
Parent samples :
4de70d7c97aac4c236396bb488f748b432fda9537e06afa042a77235b1cb8117
36ffec829c35dbf09529550e086446cfd835b4a43c71014ab217783fde2bdb9f
dc77fa38dcbfa8304ae07b051d7658f367286bc92005d327a34c944975719b00
ae4a3ef24f5482b9344969457ac89e08d2598a3721f1725325e86039758f91a2
763fc70c680ac478f31474306d6bb7a0f34893f98d691e0a49b6948a800cf7d4
307b462b554900aa1b0802f4e89752cde49cb4045bc83ac8708578d37ebdadb0
db182e4d02790fa627a9d62e3b9439203d2dd5c88c44a5355a7681b7defe24da
93cc16dfe8c10579f28d8d70196f5c64044493818861f32c9d3e8f15cc3b7aaa
f85b9025ca21804e4ef484b69c89ab2f70de661606b5987e8ff32111256b2a70
90d7dc2cd673fb159368c95d06eb59523898f1498a6d9ce5eb8618690d93e724
15a2d3053598efc70f0ac04252def24ef4dcb216b0ef0a25a957916c8a42207c
72e9d6672de64aae16ae8f4433a9ed08171a7f86decb0d134a03123dd93035d8
21e0ec96d06a0b1e71712fd34ce50e1e4c5a937e8fe8c21f89c5eade948affd5
b6219cebfd6180b0278dc07062893751f3e9c056a23b0b876b2752513cc4a1a5
d3d3facae5e604eded7bf28b146dff57334aa0d9691f1f32eb6f0a30f819bcb8
b7af929b8d99a8a2ec29774cd6c8cf77071b4c865bfe140aedf8b181ce54df89
63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464
da108473566740a4ecd7f86677ee7a22779808be300f3329ca4a6d8877d0fcdf
4e21a93e941a2e0899526af6e6196ab23b2c916bdd01a396a7c546122b1980df
d9b8816dc05c98d38419c94b02dc18ebd9494d13088ca2e1bb757f987001c1fd
0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092
07d199eaef476d20fa7fde86555086bc6193f7426f4b38513299928f06939d8f
1290e2fa7dd284fcddc2bf9caeac02ccbae1f1e715766eefd7644c245a6ecc53
35c38475ab2e902a2f2c56b2b17f27afb10b3b56365c853a8bb33a9c906366e8
48e32c11cf9fe47ee75f05a9cd9c1bf4598869fe1564eaf7c1bbabf309e823b1
9d19092e410ffb1914d7cd9271ec34b5aa8973eda65fd821851e53921a7017fe
SH256 hash:
93cc16dfe8c10579f28d8d70196f5c64044493818861f32c9d3e8f15cc3b7aaa
MD5 hash:
0455be9da54c7231fea1f2fae056f36d
SHA1 hash:
49d7a9eb258f5ee93c3985e38e4eca852c37dfef
Link:
https://www.unpac.me/results/fbba5f8d-a8b6-4b7f-b0d3-779b8d4bdc8b/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/93cc16dfe8c1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93cc16dfe8c10579f28d8d70196f5c64044493818861f32c9d3e8f15cc3b7aaa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:Windows_Trojan_Lokibot_0f421617
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Lokibot_1f885282
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 93cc16dfe8c10579f28d8d70196f5c64044493818861f32c9d3e8f15cc3b7aaa

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2614337/
Cape
Cape
https://www.capesandbox.com/analysis/383588/

Comments


Avatar
zbet commented on 2023-04-20 02:26:14 UTC

url : hxxp://202.55.132.183/59/vbc.exe